Cyber Weekly Roundup – February 7, 2017

Written February 7th, 2017

1.) It might be time to stop using antivirus | Ars Technica (January 26, 2017)

Summary: This is a rather interesting article that questions whether anti-virus is helping or hurting our security posture. From our perspective, it’s still up for debate whether or not the average user should get rid of anti-virus any time soon, recent vulnerabilities in anti-virus programs that were discovered by Google’s zero day suggests that sometimes adding A/V software to your computer opens the attack surface of your device. For businesses, the other security controls put into place may very well compensate for traditional (signature-based) anti-virus software. At the very least, it’s time the traditional A/V companies like Norton and Symantec start rethinking how they do A/V.

2.) Now there’s a better way to prevent Facebook account takeovers | Ars Technica (January 26, 2017)

Summary: Facebook is now supporting a low cost two factor authentication solution using a USB “security key” (details at https://arstechnica.com/security/2016/12/this-low-cost-device-may-be-the-worlds-best-hope-against-account-takeovers/). With support from such a large company like Facebook, this becomes an intriguing option to help prevent phishing attacks and account takeover if more companies adopt this authentication that is cheaper than other forms of two factor authentication and probably easier than smartphones.

3.) Breach Database Site “LeakedSource” Goes Offline After Alleged Police Raid (January 26, 2017)

Summary: This story details the potential shutdown of a site called leakedsource, which would sell user names, hashes, and passwords (if leakedsource could crack the hash) to the public based off data dumps from data breeches by black hat hackers. Police recently shut down the site, which had indexed more than 3.1 billion compromised account records in the past year.

4.) For the Next election, don’t Recount the Vote. Encrypt it. (January 27, 2017)

Summary: Through the use of encryption and a technique called “homomorphic encryption,” cryptographers have proposed an electronic voting system that would provide integrity and confidentiality in the US voting system, which would negate the need for recounts and provide oversight into the nation’s voting system without compromising voter privacy. In addition, this system would also help combat any chance of outside interference in US elections and voter fraud.

5.) Ransomware Took DC Cameras Offline Ahead of Inauguration (January 30, 2017)

Summary: Even though no ransom was paid on this one, this is a great examples of how cyber criminals spot an opportunity for a successful ransom payment. Locking up the cameras at any time would be concerning, but locking them so close to the inauguration adds an additional level of pressure to pay the ransom.

6.) Doxxing Raises the Stakes for Ransomware for Healthcare Providers (January 30, 2017)

Summary: Ransomware is continuing to evolve. Now that industries are becoming accustomed to the “normal” attack paths of ransomware (encrypt some data, wait for payment) and are (hopefully) applying the necessary controls to mitigate the risks, cyber criminals are trying different tactics to ensure payment. By attacking systems that require high availability (door lock systems to hotels, where they need to be up at all times for their clients) and high confidentiality (threatening to release a hospital’s patient records), the criminals are trying to place pressure on organizations to give them less time to think through the risks of paying the ransom, and instead illicit a “knee-jerk” reaction to increase the chances of payment. The threat of releasing data, known as doxing, is especially concerning, as it throws out the previous mitigating controls – recovering your data from a backup. With this new tactic, however, if the attacker has successfully gained confidential records, data recovery is not going to fix the problem.

7.) This Luxury Hotel Is Sick of Ransomware Attacks, So It’s Going Analog (January 29, 2017)

Summary: When trying to eliminate risk from an organization, there are a few options. Risk mitigation is what we as InfoSec professionals are probably most familiar with: firewalls, two-factor authentication, and encryption all attempt to reduce risk while still allowing for the operation of an information system. However, one hotel is taking a different approach – risk avoidance by moving back to “analog” locks during their next modernization. They will be removing the system altogether to remove the risk. As society continues to adopt more internet connected devices, this incident and the response is a good example of where it may be worthwhile to stop and ask if the benefits of cutting edge tech are worth the risks.

8.) Data Breaches Exposed 4.2 Billion Records In 2016 (January 25, 2017)

Summary: Data breaches are (as always) a big deal. 2016’s exposure of over 4.2 billion data records was a massive increase from the previous record of 1 billon records exposed in 2013. Interestingly, “Researchers discovered the number of data breaches was fairly consistent between 2015 and 2016, but their severity skyrocketed,” which could indicate that even though more organizations are storing their information digitally, utilizing big data, and more users are creating an online presence via accounts to different services, the way we guard this increased data has not shifted dramatically since last year.

9.) Uber.com Backup Bug Nets Researcher $9K (January 26, 2017)

Summary: Another great example of how bug bounties, when run effectively, can be a big win for both companies and the security researchers/white hats. The vulnerability that Vladimir Ivanov discovered no doubt had a high single loss expectancy for Code42 and Uber that was well over $9,000, so they have essentially mitigated a risk at a much lower cost than if the risk had been exploited. On the other hand, the amount of work put in by Vladimir Ivanov probably made the effort worth the $9000 reward he received. By leveraging the security community, and giving potential future black hats a legitimate and legal path for receiving compensation for their work, the commercial industry can de-incentivize the activities of black hats while also shoring up their security.